 So this is the night the lights went out in Vegas, a demystified and smart mirror networks. I'm Barrett Weissart, I'm a consultant with Troseway's Spider Labs and with me is Garrett Picchioni from the University of Arizona and let's kind of dive in here. So really what we sought to do since a lot's been made in the news in the last few years, a smart meter, smart grid and such and there's even been some security research. Ah, good, better. Oh, that one. Move that. All right, full start. I break things without even trying so. Stand on one leg. Oh, I thought you had the... Oh, gotcha. Okay, thank you much. Thank you to our wonderful technical staff. Let's try this again. All right, starting back up. So really what we sought to do since there's been a lot made in the news and really a lot of fear and certainty and doubt put in about what this market is, how vulnerable it is and such, as well as a few quality security presentations the last few years on how susceptible meters are to vulnerabilities and the hacking and things. We kind of sought to kind of cut through the bull to try to find out really what's the underlying technology, what are we dealing with here and to kind of go at it from a network traffic-based approach. So how do these devices communicate, you know, what concepts are at play, what protocols are at use, just how do these things tick? And just a caveat, we aren't, you know, RF gods, skid experts, industry insiders, hardware gods, we're really just pentesters and network geeks. So just enthusiasts, people who are just curious about this and kind of coming at it from a security fundamentals perspective. So what this presentation is not, so we're not here to own the smart grid, smart meters, anything like that. This isn't how to get free power. Obviously, regardless of what you may or may not do, you know, sometimes look before you leave, exercise a little bit of caution. This lets you be the one carded off stage. It's a bit of a gray area in terms of some of the some of the concepts involved, but better safe than sorry. And finally, this is not how to black out Las Vegas. If the power does go out, I've got a flashlight and some hand puppets, but not as much exciting as a as a PowerPoint. And finally, this, you know, it's not oceans 11, 12 or 13. I'm not George Clooney. Garrett's a poor man's Matt Damon at best. So so let's get into it a little bit. So what's really what is smart metering? And in order to understand this, we'll go back to a bit of a history lesson. And as you can see from the man staring intently at the meter with some sort of techno lust in his eyes. Basically, meters since the dawn of basically the age of electricity and to kind of back up a second to when we say when we make reference to the smart grid and smart meters and things like that, we're primarily referring to electrical utilities, but you can transpose a lot of these concepts to gas and water as well. Those are coming into play a little bit. So first generation meters, got a guy comes out in the van, barks his van and takes a look at your meter, takes a reading, goes back, does it once a month, you know, works, works decently well, pretty manual of sorts. But obviously it's a slow cumbersome process, not really any way to forecast demand in any great detail. And it's a high overhead. You've got a lot of people coming out, meeting reading meters, going back and you know, you rely on his readings and whatnot. So decided to have to be kind of a bit of a better way. So second generation meters kind of a one way technology. So replace that guy out looking at your meter with a guy, you know, a little portable unit or a van, drives around, takes a reading from the curb, you know, drives around in the neighborhood and such. So obviously this is a bit of an improvement. You know, you've got you've got, you know, a little bit of efficiency of scale and such. But again, you're still, you're doing monthly readings. So you're not really getting a quality demand forecast or anything interesting like that. So again, there's a bit of improvement here. So introduction to, I guess, the third generation meters, the automated metering infrastructure. So AMI. Now, the idea of this is you create, in effect, a large closed off basically system, a metropolitan wireless network of itself wherein the meters can communicate in a two way fashion. So generally, the idea is that you have your meters, small transceiver sorts, communicate with either relay towers or directly to the central utility via some mechanism. We'll get to that in a second. And the idea is that you can basically pass a variety of information back and forth and do a lot of things that would not require you to actually send out a manual human or do a thing of that nature. So first question, why? Why would we want to do something like this? Well, the utilities have quite a bit of a reason why. And we're stating this without any sort of bias as to whether the viability or efficacy of these options for the utility of the consumer. But first of all, to be able to reduce staff overhead on the part of the utility, you take away all those guys in vans for better or for worse, obviously. Economic times, you cut a lot of jobs. But the idea is, hey, I don't have to send all those people out in vans with any sort of equipment. And hey, I can just get an idea, get a read from the central office. Second, if I want to start a stop-a-meter, usually you've got to schedule a date for that guy, comes out, doesn't miss this at least. Well, this one I can just start and stop service basically instantaneously if I really want. Third, and perhaps most importantly, you can actually get a pretty good forecast for demand. You can monitor, basically you can monitor meters hourly, daily, whatnot, and get an idea for what the peak demand is. And with the idea of creating a more sort of a more reliable grid, the idea that you can hopefully have fewer blackouts, brownouts, and such. And of course, something that the utility is probably really like, demand pricing. So during peak areas, and people who probably still have cell phones with peak minutes and things like that will know this is, you know, you make a demand for electricity during a peak time, well, you get charged more. And in theory, they want this to kind of shape customer demand, but also it does bring in more profit. So on the consumer side, well, what are we getting out of this? Now the idea is the consumer can actually monitor and track their own consumption. Usually the utility will have some sort of portal that they can kind of look and say, well, use X number kilowatt hours, X number gallons of water, you know, whatnot. And the idea, well, in theory, you can say, well, gosh, I really was running my air conditioner all this time last month. Okay, I'm going to try to adjust and we'll see how it reacts on a day to day or hour to hour basis. Second, the utilities have this idea of a grand future with smart appliances. So I can actually have an opt-in where my air conditioner will say, okay, I'm part of the utilities demand program. So it's the peak of summer. There's a tremendous demand for, you know, air conditioners, fridges, all sorts of cooling equipment. I can actually say, well, I'd like to opt-in to where the utility can, you know, lower my air conditioner a couple degrees, turn off entirely, or basically have some sort of control over my energy consumption. And the idea of it being either the same or reduced costs. Because if it's the same cost for the consumer, in theory, you still have an enhanced infrastructure. And if it's reduced costs, well, even better for the consumer. So next, Garrett's going to get into what makes up a typical smart meter. Okay, so the smart meter's hardware is, with some subtle changes, it's more or less the same give or take across vendors. You still have the basic idea of a core set of components. Like Garrett said earlier, our talk is mainly geared towards electric meters, but the same concepts can be applied also in the gas and water industry as well, because they're also attempting to implement this kind of technology as well for the same ideas. Typical hardware that you're going to find in a meter, it's pretty basic. You've got a 32-bit ARM processor or something similar, 256K of RAM, so really, really tiny footprint here, and only 512K of flash memory here. And that's, you know, in terms of storage and running the firmware and stuff, that's really all you need. A transceiver, those can, those are a little bit different, depending on the vendor, we'll get to that in a bit. And some sort of communication method, and in most cases, it's just regular TCP IP. The idea behind these is that you want to have as small of a footprint as possible and have, you know, a core set of, you know, a couple of features that just work really well and are just absolutely solid on this platform, and you want to have it, you know, cost-effective so that way the electric companies can roll these out to, you know, a few million person city without having a overwhelming impact on their costs. You also want to have the idea of these meters, we still need them to report because they're running off of, you know, the power grid in some sense. Well, what happens when there's a blackout? So they do need to have some sort of auxiliary power, if you will, so that way they are able to report during blackouts saying, hey, you know, this house is without power and things of that nature, so instead of the way that it's currently set where, you know, you rely on the power, or the utility companies rely on customers calling to complain when there's an outage, you know, in this case the meter will just report it for you instead, which is kind of a win-win situation there. And that's, yeah, pretty much the basics of it. It's all pretty simple. So next we're going to kind of look into a different types of smart meters and how they communicate. So, you know, what are the tubes or the virtual wireless tubes? So first, and probably the most popular type of solution out there that you might see, perhaps your local municipality or whatnot is license spectrum. A lot of these meter makers have basically begun to bind up just very narrow bits of license spectrum in the 900 megahertz range. And what they do within that range is sort of produce transmission reliability, even though technically they should be the only thing transmitting in that region. They also utilize things like frequency-hopping-spread-spectrum, frequency-shift-keying and a variety of things to kind of make sure that there's minimal interference. And this really introduces quite a bit of reliability in transmission. So that way, you know, your meters are communicating, there are fewer outages, and that way you try to keep things online and talking to home as much as possible. The idea that it's actually a hybrid star mesh network, so you've actually got a meter, if you could see here in the diagram with the wonderful red houses and such, that basically normally you would have a home and a meter communicating directly with one or more relay towers back to the central, basically the central utility. But the idea is that you actually can also have another meter pass off a message through an adjacent meter. It's known as buddy mode in certain implementations that it can basically pass off messages if it's out of radio range. So if you've got, for whatever reason, the meter on your house isn't quite talking to the base station, it can basically pass it off through your neighbor's meter, for better or for worse. And essentially it provides quite a few advantages. Again, like I said, reliability. You've got, you know, pretty reliable transmission given those technologies. Longevity. You've actually, I mean, you've bought the whole system end to end. You own the meters, the relay towers, the central, you know, the central receiver and such. And so, you know, the idea, you can basically use it perpetually as long as you feel licensed for that band is renewed. So kind of some of the other interesting things about this, you may, they actually do it or do some preliminary security features. They usually, meters are actually sent out of the factory with a unique AS encryption key. And the idea that you can actually have keys for unique for each meter as well as keys for each group in the utility. So I could actually, that message that I sent from my meter through my neighbor, my neighbor can't actually read what the message is because that key is shared between myself and the central utility. And the idea is that all these keys are shared between the meters and the utility such that if a meter perhaps is taken offline or something happens, I should be able to revoke that key from the central location and that meter is effectively knocked off in theory again. So again, a couple of the other things they typically include some, you know, pretty reasonable basic physical security tamper controls, things like that. Let's see some of the other things. And, you know, it's kind of a long and short of sort of the basis of it. And some of the caveats, unfortunately, is that, you know, the overhead you have to buy the system end to end. And also it's proprietary for now. They are moving towards the standard. We'll get to that in a second. But right now, really a lot of these different implementations do things in different ways. So if you buy meters from vendor A, you're probably locked in end to end for equipment from vendor A. Okay. So the next type of meter that you're going to commonly see is one that communicates based off of a cell network as opposed to, you know, your own license spec infrastructure. They're primarily GSM based. So here are the states that pretty much limit you to AT&T mobile. Some vendors offer a CDMA option, but it's really, it's not widely used. They don't really advertise it a whole lot. It's just a, you know, if you absolutely have to have it, it's there. And it's point to point connectivity. So, you know, the meter is talking directly over, directly from, you know, itself up to the utility station. The advantages of that is, you know, you're already using existing infrastructure. You do not have to roll out your own license spec set up or anything like that. You, you know, you rely on the cell, you rely on AT&T or T-Mobile to do it for you. And, you know, you worry about them. You take that for what you will, I guess. You know, you let them spend the money to roll out, roll out service and coverage into other, you know, into other areas. You don't have to worry about that. You know, your coverage, cell networks in one, in one form or another are just about everywhere. It's pretty difficult nowadays to find a place within a reason, I guess, that, you know, at least, that you at least can't get some sort of signal to transmit something. And you have the, you have the layered security of GSM. I don't know how secure that is now, thanks to Chris's talk a couple hours ago, but it's at least there. So, you know, it's not like you're cracking web networks or anything like that. There is at least some sort of layered security. And, you know, the possibility of having a VPN tunnel between the meter and the utility station for that kind of direct point-to-point connectivity. Your disadvantages, you're really at the, you know, the mercy of whoever you're contracting for the cell carriers. I mean, if, you know, a telco decides to change a new standard or change to a new, you know, set of form of infrastructure and, you know, the meters are just incompatible with it for one reason or another. It's, you know, tough luck, I guess. Figure out a solution. You know, I would assume that they would attempt to work with you, but, you know, the power companies are, you know, not going to probably stop cell networks from expanding or rolling out new technologies and things like that. And, you know, is it kind of, is it future-proof? Well, our cell, you know, our, I'm sure cell networks for now seem pretty solid, but how long really, you know, we've been using basic utility meters for, you know, since power, you know, since power first started and, you know, cell infrastructures are really only coming to play within the last, you know, 20, 30 years or so. And just a couple of things to think of, I guess. So just for his third example is kind of a couple other minor implementations. And I say minor just because you don't see them as often in the states. You may actually see a power line. The idea is that your metering infrastructure is basically done over the same lines that transmit your power. And just because of the attenuation and the distance runs, you really see this in more small regions within countries in the EU, really in Japan, things like that. It's really, again, not really that common in North America. So it's a bit of a minor player. Broadband, it's just sort of interesting. They actually, there's been some specs out there for just sort of an open communication network. And it's very media-magnostic. And they use just a variety of existing transmission technologies. So in effect, you basically are putting open to using, you know, broadband, whether it's metropolitan Wi-Fi or basically 4G or whatnot. So the idea that you could basically create a sort of a set of standards and again, pretty much TCP IP based that you could talk to, utilizing it, it's going to be very similar. In other words, things like, you know, GPRS and the idea that you can be flexible, I guess, with the leveraged existing technologies. So next, you see how basically, how you communicate with the meter. Well, so what can you do inside your home once it goes inside the meter? So basically the idea of home area networks and smart appliances. So it's going to haunt home area network. And, you know, I'm sure a lot of you in the past have played with X10 and things like that. But so the idea about this is that you create something that's going to be a universal device interface that can communicate. You have a home controller and it can communicate with, you know, your air conditioner, your fridge, down to your remote control and maybe even your security system. So a variety of things. But obviously the challenges for that, if you want to have sensors on every last window, your doorbell, you know, your remote, you have to have something that's a pretty small footprint, pretty low power. And that's kind of where Wi-Fi and Bluetooth kind of get knocked off just because, you know, you're not going to have a remote control, but it's using 802.11 just because of the high power costs. And you're not using Bluetooth just because it is fairly high power as well as it has a pretty long wake up time. So it's not really that good for instantaneous communication. It has to be secure on some level. I mean, you really don't want your neighbors playing with your stereo or, you know, disabling your security system when you're out of town. So, you know, you have to have some sort of security mechanism. And that's pretty much where X10 kind of drops off the map, as well as the fact that X10 has a very, just very paltry transmission bandwidth for things like that. So, but still, despite that, we still need something that's low bandwidth. I mean, not, you know, pretty efficient. All you really need to do is send some sort of command, some sort of basic data set. So the thing that's been kind of the leader, or at least the winner in this so far has been Zigbee. So it's actually, part of it is the IEEE 802-154, which basically specifies the physical and actually the data link layer. Zigbee kind of goes all the way up to the application profile, basically all the way up. And it's not TCPIP, but it uses a very similar OSI model. So for practical and sensitive purposes, you can kind of kind of intuit one over to the other. Again, it's a bit of a mesh star cluster topology. You can have devices relay for one or the other back to your sort of master controller, or coordinator, I guess is the proper term. It's pretty low bandwidth about, you know, 250 kilobits a second. So not too much. It's actually, it's sort of, if you want to think of it, it's almost kind of like a bit of a peer-to-peer network of sorts. It's also another good kind of metaphor. And it was originally developed for industrial implementation, but the idea is it kind of carried over into home use just because they thought they could find kind of advantages for it. And so really, it's got a pretty short transmission range, about 100 feet. So you want things that'll stay inside the home, nothing that carries down the block and on average, of course. So really what's some of the interaction that you'd want to be doing, let's say, you know, let's say you take your car in for service, you know, you get on board diagnostics. Well, let's say your fridge compressor goes out of your fridge, your compressor is failing. Your fridge notifies you and says, hey, you know, I noticed my compressor is failing, you better dispatch someone. Saves you a little bit of headache and time and worry. You actually have, let's say, a window says, okay, my window break just broke, okay, trip the alarm, things like that. So you basically actually have different types of devices with different types of profiles depending on what use. And again, this is actually secured by AES and it's actually kind of, I guess, the trend in which AES is moving towards, for those of you who know a little bit about WPA2 with AES CCMP, you basically are turning a block cipher into a stream cipher. So they actually use something called EAX, which is sort of a less complicated version of CCM, the idea that you're basically chaining block to block without getting too much down the crypto path there. So, and let's, after that let's do a little bit of kind of the security policy implications of all this, which is kind of the crux of everything, right? So basically what we want to know is, is this secure? And this is actually a damning question that used to be asked by a professor of mine that they turn after showing a solution and basically say, okay, so is this secure? And you'd be absolutely paralyzed to actually answer this question because you're afraid if you said yes, you'd have to explain why. And if you said no, you'd also have to explain why. In either way, if you're wrong, he'd absolutely just carve you up with the absolute correct answer. So to really answer this question, it does depend. And again, you know, the best security in the world can be kind of cut apart by a poor implementation. So you have to ask yourself a few questions. So first of all, who are our attackers? Now, you may have someone who's just as enthusiastic, kind of a thrill-seeker, someone who's curious. I can't imagine there are too many of those people here. You have people, just vandals, people who kind of want to say, well, hey, if I can black out my neighbor, let's just mess with my neighbor. Let's, you know, turn his laundry on or, you know, make his fridge burn out or, you know, just mess with people, vandals of sorts. And then of course, probably the most interesting and probably the most dangerous type of this are basically, you know, let's say, you know, terrorism, espionage, people who actually are pretty well funded, pretty well intent on saying if I can get control of this infrastructure, I could do some serious damage. I mean, I can, let's say I can turn off the alarm system for a bank, I can black out an entire grid and cost havoc. You know, it's a whole variety of things. So the second, it really only makes sense to use, if you use all the features. So a lot of manufacturers say, well, gosh, we've got this, we've got AS, we've got, we introduce entropy, we do this. And then they say, oh, by the way, all these features are optional. And, well, yeah, if you strip out all the features, for example, the 900 megahertz system, you're basically less left with frequency hopping spread spectrum, which in itself, if you don't know the hop schedule, isn't, it's okay as far as it is somewhat of a measure, except, well, let's say I go disassemble a meter, buy a meter on eBay, I get the hop schedule, and it's just like you were, you know, passing it across, you know, in the clear. So there, obviously, again, as Garrett mentioned, reliance on third party security, you're putting yourself at the mercy of someone else's solution. And, you know, I'll utility say, well, we don't really know a whole lot about that. We'll just rely on AT&T to really kind of figure out what's going on. A lot of GPRS meter manufacturers will say, well, our network is private IP because, hey, that way, no one can route to it. Well, so is every cell phone. So again, you know, some of these things that are touted as features are what we call feature fluff. It's just these are things which are touted as features, but not really explained well, or just sort of a bunch of just crap thrown onto a piece of paper without actual context. And some of the other things, security through obscurity, it definitely, for example, like I say, well, we use the proprietary frequency shift key and schedule. You won't actually, you know, hey, they don't know it, it's not published, you won't be able to find it. Well, again, I grabbed myself a meter, I'll find it. Some of the proprietary command sets, well, how do people know how to send commands to meters, our data set isn't published. Well, again, people with enough time will find a way. And probably most important of all is physical security. As anyone knows, really, you can implement the best system known in mankind, but if I can physically access your devices, you're pretty much out of luck. So the idea, let's say, I want to find out the frequency shift key, the frequency hopping schedule. So let's say, okay, I don't want to take apart my meter because then they might think it's me. Well, I don't really like my neighbor. I'm just going to steal his meter. They all talk in the same hop schedule. Well, bam, there I am. So again, physical security, you really, you have to keep that into account. For example, in my particular complex, the meters are behind a locked door. So it's not too bad. It's at least an additional measure. So it's something good to take into account. Again, the location, actually the spread nature of the network actually helps. It's sort of a, both a blessing and a curse. The idea that if I want to attack the network, I can basically go anywhere the network is. So with buddy mode, I can pass commands off anywhere there's a meter. So it makes attacks on the network pretty hard to trace or diagnose. And again, kind of as a follow-up to physical security, you really have to be able to respond to incidents as they happen. So meter X is compromised while immediately revoke its key so it can't communicate for the network. And, you know, if you're anything like me, when you first read about a lot of the AES stuff, you said, well, why don't they just use PKI or something of that nature? Well, you got to take into account, you're dealing with a system where every meter is inherently set up to be trusted, basically an explicit trust. So the idea is that if that key is compromising a sort of way, you should be able to revoke it at the core and have the security system be retained. Okay, so these are kind of the current, these are some, you know, marketing, I would call them marketing because they're not very technical, even though that was what the some of the some vendors were trying to portray them as that I thought were a little entertaining. They, you know, they told me not to, so I won't. This was a this was a quote off of a promotional material for a meter. Our network is secure, you know, they're telling you because we're purchasing license spec on the 900 megahertz, you know, spectrum that that inherently means just because we own that for the time being that nobody could ever ever want to go do that just because the FCC says that you're not allowed to. And well, obviously, probably not so much, especially with, you know, folks here and everyone else that are just kind of, you know, wanting to play around with things. Transmissions cannot be duplicated using off-the-shelf equipment with a, you know, if we have this outstanding device called the USRP, which is a, you know, is a software radio if you aren't familiar with it. And, you know, with that, and I can get a transceiver that broadcasts on 900, you know, transmits and receives on 900 megahertz as well with some, you know, with a little bit of development or developer knowledge, I can customize the USRP in such a way that, you know, I should have, I should have no difficulties at least, you know, trying to pick up traffic and then once you pick it up from there, it's, you know, it's only a matter of time, depending on the security that's in place, on whether or not you can read it or do something with it in some capacity. Critical infrastructure, so there's, that's a, for those that are unfamiliar, that's a designation by the Department of Homeland Security. They consider certain things to be quote unquote critical infrastructures like, you know, the electric grid, water grid, sewer, you know, et cetera, et cetera. They don't inherently, they don't explicitly say this, but does it say, you know, a local telco decides to use a meter that's based off of GSM, because of that, by proxy, does that mean that, you know, AT&T or what have you is now that network in that city from AT&T is that considered to be critical infrastructure and falls under the same, you know, extra protections that the, the, the Homeland Department of Homeland Security may offer to other, other, you know, critical pieces of infrastructure. Here's a couple more implement, you know, implications. If we're going to do this, you know, if, if this is actually going to happen and they're going to make a, you know, the utility companies are going to make a massive infrastructure change and roll these meters out, there needs to be a couple of sanity checks first, like in, in the first case, you know, we need to make sure that the meters actually work properly. California, PG&E tried to roll smart meters out and had a heck of a time with it when they realized that the meters were not billing correctly. Folks were getting bills or for, for a service utilization that were, you know, two and three times what they were normally using. And, you know, it's just these basic fundamental things that you need to make sure actually work before you go out and roll these out to a city. You know, there's also privacy issues as well. You know, appliance control, electrical surveillance, you know, the appliance control, if you opt in to the, you know, the service that the utility companies offer or, you know, they may adjust your appliances for you depending on, you know, the amount of utilization on the grid, you know, things like that. There's also, there's a lot of security that goes into preventing somebody from actually tampering with the meter. You know, there's accelerometers in them and tilt sensors and things like that to detect if somebody is trying to remove the meter. And a bunch of security that prevents the average consumer from trying to tamper with them in any way. But there's really not a whole lot of set policies in place on preventing maybe the electric company from doing things that maybe you perhaps don't want them to with your appliances and their, you know, and their policies like that. There's really no, it's kind of, the security is one way but it's definitely not the other way. There's no real policy in place on what could the electric company do with my washing machine. Could they just shut my AC off because, you know, when it's 100 degrees outside just because they're having peak demand at that time. You know, things like that. You can also, I mean, you can monitor appliances and based off of utilization trends and things like that, the utility companies can get a good idea of when you're turning your washing machine on or when you're using your electric oven and things like that. And I guess if you're one that's trying to live in a world of complete secrecy and anonymity you may have a problem with that. But it's, I don't know, it's probably something that not a whole lot of people will think about. I mean, your TV companies monitor your TV channel trends and the police departments, you know, watch things like the sewers and to see if, you know, perhaps drugs are being flushed down to try and sniff out drug houses and, you know, things like that. There's all these little things that are done transparently by the government or by companies in the background that I guess depending on who you are is whether or not you may actually care. So, with that in mind, who really ultimately benefits from these new implementations? And, you know, the first answer may be utilities. Well, no, seriously, utilities. The really upfront, they have cost savings. We discussed that previously. They've got enhanced ability to monitor control, demand, fluctuate pricing, all sorts of benefits. Plus, on top of that, due to the American Reinvestment and Recovery Act, the government is actually giving them money for certain implementations, just as a provision of that. They do have some provisions in that act to require security to be in place, but it's not entirely clear what those provisions might actually be. And, in some cases, where the utilities have botched an implementation of smart meters, they are under no illusions that they can't just pass the cost on to consumers. So, now on the other side, the poor consumer. Well, if you think about it, really, your utilities are a lot like gas. Let's say you commute. You really can't avoid not buying gas. It's a pretty inelastic demand, much the same as if your favorite TV show comes on seven at seven, you can opt not to watch it. But, ultimately, you're going to be employing some sort of device that uses the consumer's power, whether you record it, watch your TV. I'm not going to do my dishes at three in the morning. I'm not going to start vacuuming the floors at all hours of the night. Realistically, the consumer's not really going to change their habits just because they have fluctuating demand and prices like that. So, really, ultimately, the consumer's probably going to get more benefit from actually having power saving and power conscious devices. So, let's see, a ZigBeeware fridge. If anyone's ever saw LG's $10,000 smart tablet fridge that really was, yeah, not very well selling a few years ago, a picture of a version of that that actually works. And, let's say when your fridge has fewer groceries and it backs off on the cooling or, let's say, you can have something that just is ultimately a little more power thrifty. Ultimately, probably the biggest beneficiaries on the consumer side of this are going to be manufacturing. So, you can actually, manufacturers will say, I can totally schedule my shift for 2 a.m. where there are lower rates for process runs. So, absolutely, I can see some consumer benefit in that particular area. So, really, where is this going? And, unfortunately, like it or not, this is coming. This is where the smart grid is going. More and more implementations are being rolled out. And, the good news is it's a replacement of some aging infrastructure and I won't really comment. As again, I'm not a SCADA expert, but as people have seen with things like a lot of the link auto run things, that there are attacks out there that target SCADA systems specifically. So, if this is part of a rollout of a more enhanced and hopefully more well thought out infrastructure in terms of security, it's probably going to ultimately be a positive thing. However, we do need a standard. A lot of these systems do use TCP IP as their backbone, but as far as what messages they send, how they send them, and the rate at which they send them, et cetera, are still very proprietary and vendor specific. However, there are two standards out there that are being championed by a few vendors, ANSI 12.19, which is the idea for the data that's sent by a meeting system and 12.22, which is actually the protocol for how it's said data is actually transmitted over the wire and usually over TCP IP. I believe there might actually be an IETF draft for that out there somewhere. Finally, and really everyone plays a role in how these systems are coming to you. Utilities, they really have a responsibility to deploy securely and responsibly, whether they will or not, probably remains to be seen. The government really needs to, if they say it's critical infrastructure and they're really clamping down on this, they really need to continue to regulate this somewhat, modestly, not overtly, but they really need to keep an eye out to make sure that utilities don't practice price gouging or any sort of counterproductive things. Again, it's going to be some form of capitalism, but since the system is not like, this isn't a paintball arena, this is something which I need electricity, I need clean water, I need gas or whatnot, this is something you need to look at. As the consumer, you really need to advocate whether with your vote or just by raising awareness, just by learning more by attending talks such as these to basically find out how these systems are being deployed and really what's going on in your specific municipality. So it's kind of some of our two do's. As far as actual testing, it was kind of a paltry thing just because with a lot of these utilities are very, very shy at gaining approval. Obviously, we could go ahead and at least gain a little more insidious by FCC be damned, try a few things, but really, ultimately, you really want to construct a legitimate, repeatable test environment. We'd really like that to be able to say, okay, let's basically have something that's a little more empirical and a little chaotic to actually determine how things tick and to sort of benefit and to kind of break down things. And ultimately a true examination of the smart mirror network from a pentest standpoint. I mean, it's CCPIP. Once you're able to legitimately get on the network, a lot of those concepts that you're used to are going to be in play again. So really from that, questions. I think, I mean, from an overall from a human behavioral standpoint, I can absolutely see changes in demand. But as far as just because someone says, well, your kilowatt hour price is two cents higher, I don't necessarily know if that specific is going to get you to change your behavior. I think when it comes to say, okay, guys, we just use $400 worth of heating this last month, the bottom line, yeah, the dollar signs will probably get people to change their costs as opposed to the ability to see your demand in more micro time slices. I think in terms of, you know, the elasticity in comparison to whether or not people are willing to make lifestyle changes for perhaps lower rates and things like that, I think that where you will see these lifestyle changes are with things that that don't require any interaction like charging your electric car or maybe starting the washer when you go to bed or something like something to that effect. But something as opposed to I guess, you know, vacuuming your house or, you know, doing your dishes or something to that effect, that's probably not something that you're going to be willing to do it two or three o'clock in the morning just to save a couple of pennies on a kilowatt hour. And I think that'll also be very kind of capitalistically driven just by the idea that, like you said, auto manufacturers, if you give me a wonderful electric car, that will motivate me to change my behavior more so than the utility is saying, you know, hey, look, I, you know, basically smart me drain less so and products and services more so. Not as much. I mean, I know that was definitely something we came across when kind of doing the preparation. But I think for the most part that that would lead more towards definitely from a hardware perspective. And admittedly, we are definitely a little hardware light from specifics. I know the presentation, the IO actor presentation last year is actually pretty rock solid in terms of kind of basically a little under the hood as far as some of those particular types of devices. And I think, yeah, I mean, it's definitely interesting, but definitely something that was a little out of our purview for this talk. Oh, definitely. Yeah, phase two, we're definitely looking forward to kind of amping up a little bit. Bad pun intended. I'd be a little wary about maybe directly plugging into perhaps your meter if they're charging you for it. I know just because of existing laws and regulations and things like that, the power company or utility companies in general get really nasty if you start messing with their stuff in ways that they do not want you to. And I mean, that actually that would be a legitimate security gap. A lot of things just because once again, there's a lot of ways that utilities want to prevent you from tinkering with their equipment, but they've absolutely left out how in a lot of these participation programs, what they can do with your equipment. I mean, the sort of any sort of access controls pertaining to your home devices, they apparently there's not a whole lot in the way of conscious thought on behalf of utilities on this yet. I mean, it's unfortunately some of those some of those implementations are I think they try to basically try to keep the system as stable as possible. But I think at the end of the day, it's it's it's basically more towards I guess the by micro measurements, you increase the stable stability of the system as a whole by being able to predict that demand and hopefully decrease the amount of interruptions. But again, that's hopefully it's going to be an exact science, but hopefully as time goes on, it'll be something that they will get a little bit better at. I mean, if you think, for example, the airline industry has up to the minute forecast for demand for seating and things like that. And after all this time, they've gotten pretty good about knowing exactly how much you'll pay for, you know, a flight to Phoenix. So hopefully something similar will happen in the utility industry. But again, it's kind of a wait and see. A lot of the actual specifics, I think, are going to be left up to the manufacturers as to what the feature set is your home ideally is going to be ultimately controlled by a ZigBee coordination module. So the idea is the minute that stops communicating, or as some sort of, I guess, abnormal condition, you would hope that in theory, that that would be that device would communicate that to the home coordinator. And basically that would relay it to you by some sort of alert mechanism. As far as actual concrete, what they're going to be able to do, can I control the temperature? Can I overheat my fridge? Let's say my, you know, if you think about it, let's say, you know, Wi-Fi of 10 years ago, you know, just abysmal, basically, you know, usually web or nothing. So let's say a manufacturer starts shipping ZigBee enabled or ZigBee aware devices with, you know, default settings or something like that. Well, can I join your fridge to my network and then immediately say I'd like that fridge to turn off the cooling or things like that? So hopefully it'll be a combination of reasonable default security plus a fairly fine-grained feature set so you can't do something to, you know, to physically ruin the device. If you think about, like, for example, if you remember monitors 20 years ago, I think there was actually a virus out there that would basically destroy your CRT just by saying the sig mode out and eventually they finally learned enough to say, okay, we can actually implement this in hardware such that I cannot set, you know, conditions such that I can physically damage the hardware. So hopefully that'll be something similar, but appliance manufacturers are usually pretty slow to implement this stuff because it's an extra cost. If there's no buy-in, they feel like there's been a colossal waste of money. And plus, everyone likes to bicker over a standard. Looks like we're getting the, we're getting the cutoff here. We're going to be in, which will be a 112. So if anybody else has any other questions, feel free to stop by and kind of pick our brains, I guess. Thank you very much.